[Chameleon] how to make a secure application on win32

Sears, Jeremy Jeremy.Sears at CCRS.NRCan.gc.ca
Fri Mar 10 15:56:13 EST 2006


Sweet, Thanks for the tip.
So if one were to use ms4w to serve maps on www, the biggest concern is with
apache and security issues with apache, rather than with chameleon and/or
map server?

Jeremy

-----Original Message-----
From: Paul Spencer [mailto:pspencer at dmsolutions.ca]
Sent: March 10, 2006 3:49 PM
To: Sears, Jeremy
Cc: chameleon at lists.maptools.org
Subject: Re: [Chameleon] how to make a secure application on win32


Jeremy,

the primary reason that ms4w includes that disclaimer is because  
earlier versions of apache included it.  Also, we are not warranting  
the software for production use.  That being said, the default  
configuration of ms4w is to prevent access to any directory except  
the 'htdocs' directory.  As far as I know, this is reasonably  
secure.  There may be additional things you can do in Apache to  
prevent certain hacks also ... I'm not an apache conf expert ;)

You shouldn't need to move stuff around, though.

Cheers

Paul

On 10-Mar-06, at 3:22 PM, Sears, Jeremy wrote:

> Hi all,
>
> I'm wondering if anyone can point me to documents etc that describe how to
> make a chameleon/mapserver application secure for use over the web. We have
> developed an application on ms4w and wish to make it available via http.
> Has anyone experience with this that could offer tips? On maptools.org's
> ms4w download page they indicate that ms4w shouldn't be used for production
> purposes. Does anyone know if ms4w can be made secure?
>
> I don't know much (anything really) about breaking into remote servers. Is it
> naive to assume that the following setup would be secure? By secure I mean
> an intruder would not be able to access mapserver's .map files to obtain
> database passwords etc, nor able to access httpd.conf files or do anything
> else besides look at the mapserver/chameleon output via valid http requests.
>
>
> A setup:
>
> A windows server on a LAN, running the ms4w/chameleon package. The ms4w/cham
> package installed in either a directory or a separate partition of a hard
> disk. This partition/directory is open to WAN via a proxy server that can
> only access the partition/directory on which ms4w is installed. Only
> http requests can be made through the proxy to the ms4w/chameleon
> installation.
>
> As I mentioned, I'm new to security issues. Any suggestions would be great.
> Perhaps there is a more appropriate place to ask such a question?
>
> Thanks
> Jeremy

+-----------------------------------------------------------------+
|Paul Spencer                           pspencer at dmsolutions.ca   |
+-----------------------------------------------------------------+
|Applications & Software Development                              |
|DM Solutions Group Inc                 http://www.dmsolutions.ca/|
+-----------------------------------------------------------------+
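
A small audit for the concern raised in this thread (mapfiles holding database passwords, or httpd.conf, ending up somewhere a plain HTTP request can reach), added here as an example and not part of the original messages or of ms4w. It walks a web root such as 'htdocs' and flags those files; the directory layout, file names and credentials below are constructed for illustration.

```python
import os
import re
import tempfile

# MapServer layer connection strings (e.g. PostGIS) can embed credentials.
CONNECTION_RE = re.compile(rb'^\s*CONNECTION\s+["\'].*password\s*=', re.I | re.M)
SENSITIVE_NAMES = {"httpd.conf"}
SENSITIVE_EXTS = {".map"}

def find_exposed(docroot, max_bytes=1_000_000):
    """Return sorted (relative_path, reason) pairs for files under docroot
    that a plain HTTP GET could fetch and that should not be web-readable."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, docroot).replace(os.sep, "/")
            lower = name.lower()
            if lower in SENSITIVE_NAMES:
                findings.append((rel, "server config"))
            elif os.path.splitext(lower)[1] in SENSITIVE_EXTS:
                findings.append((rel, "mapfile"))
            else:
                try:
                    with open(full, "rb") as fh:
                        if CONNECTION_RE.search(fh.read(max_bytes)):
                            findings.append((rel, "embedded connection password"))
                except OSError:
                    findings.append((rel, "unreadable, check manually"))
    return sorted(findings)

def build_sample_tree(base):
    """Constructed layout: one mapfile kept outside htdocs, copies inside it."""
    mapfile = 'MAP\n LAYER\n  CONNECTION "user=gis password=example dbname=demo"\n END\nEND\n'
    layout = {
        "apps/demo/demo.map": mapfile,       # outside htdocs: never scanned
        "htdocs/index.html": "<html></html>",
        "htdocs/demo/demo.map": mapfile,     # flagged by extension
        "htdocs/demo/backup.txt": mapfile,   # flagged by content
    }
    for rel, text in layout.items():
        path = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return os.path.join(base, "htdocs")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel, reason in find_exposed(build_sample_tree(tmp)):
            print(f"{rel}: {reason}")
```

An empty result for the real web root means no mapfile or server config was found there by name or content; it says nothing about how Apache itself is configured.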




